An unsettled Outlook…

Microsoft announced on 14th March 2023 that they had patched a bug in Outlook for Windows (CVE-2023-23397) that leaks a user's NTLM credentials to an attacker, who can then use them in an NTLM relay attack. This advisory talks through what a relay attack is and why it matters; how the vulnerability is exploited; the interesting history behind it; and some ideas about mitigations.

What’s a relay attack?

At its simplest, a relay attack tricks a user's machine into authenticating to a server the attacker controls. The attacker captures the NTLM challenge-response (often called the Net-NTLMv2 hash) and can either forward it in real time to another server, authenticating there as the user, or take it offline and try to crack it to recover the user's password.

Microsoft introduced NT LAN Manager (NTLM) as a means of authenticating users well over 20 years ago. Although many systems long ago moved on to Kerberos (which is rather more secure), many legacy systems and applications still support or use NTLM, so it is very difficult to remove. It is a challenge-and-response protocol, and works like this:

[Figure: Basic NTLM challenge and response (courtesy of Microsoft)]

The challenge and authentication routine itself isn't the problem. The issue is that, unless signing or channel binding is enforced, NTLM does not tie the exchange to the server the client meant to talk to. So it is too easy for an attacker to get into the middle of the process: persuade the client to authenticate to the attacker's server, forward the exchange to a genuine server, and use the client's credentials to gain access they are not entitled to.

The vulnerability

It's a vulnerability triggered by a specially crafted email. There's a long history of this, going back to the days when malicious actors would drop a single-pixel image into a mail message. The image would link back to an attacker's server using a UNC path (which \\looks\like\this). The mail client would try to fetch the image over SMB, authenticate to the attacker's server with NTLM as it did so, and the attacker would capture the challenge-response.

That hole was patched; unfortunately, people keep discovering new holes. The latest one is a message property called PidLidReminderFileParameter, which normally names the sound file Outlook plays when a reminder fires. If an attacker sets that property to a UNC path on a server they control, Outlook connects to that server to fetch the "sound file", authenticates with NTLM, and hands over the user's Net-NTLMv2 response. And not only that: Microsoft say that the email "triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane." So the user is never in the loop: not opening the email does not help.
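The following is an added example for this advisory; it is not code from the advisory itself or from Microsoft. It shows the check a mailbox scanner has to make on each PidLidReminderFileParameter value: is it a local drive path (normal for a reminder sound), or a UNC path that would make Outlook authenticate to another host, and if so which host and over which transport? It goes a little beyond the text above by also handling the WebDAV form of a UNC path (\\host@port\share, \\host@SSL\share), which is the syntax by which such a path reaches a port other than 445. The internal networks, the DNS suffix and the sample messages are assumptions constructed for the example.

```python
"""Classify candidate PidLidReminderFileParameter values from Outlook messages.

Added example for this advisory; it is NOT Microsoft's own CVE-2023-23397
script. It works on property values already extracted from messages (the
sample records below are constructed, not real mail), so it runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumptions about the organisation: these networks and DNS suffixes are
# treated as internal. Anything else is an external host.
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
)
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\share\file            -> SMB, port 445
# \\host@8080\share\file       -> WebDAV mini-redirector, HTTP on port 8080
# \\host@SSL\share\file        -> WebDAV over HTTPS, port 443
# \\host@SSL@8443\share\file   -> WebDAV over HTTPS, port 8443
_UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<tail>(?:@[^\\@]+)*)(?:\\.*)?$")
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Verdict:
    value: str                # the property value as received
    kind: str                 # "local", "unc-internal", "unc-external" or "other"
    host: Optional[str]
    protocol: Optional[str]   # "smb", "http" or "https"
    port: Optional[int]
    reason: str

    @property
    def suspicious(self) -> bool:
        """A reminder sound should never live on a host outside the organisation."""
        return self.kind == "unc-external"


def _transport(tail: str):
    """Translate the optional '@...' suffix of a UNC host into (protocol, port)."""
    if not tail:
        return "smb", 445
    ssl, port = False, None
    for part in tail.split("@")[1:]:      # tail starts with '@', so [0] is ''
        if part.upper() == "SSL":
            ssl = True
        elif part.isdigit():
            port = int(part)
        else:
            raise ValueError(f"unrecognised UNC host suffix '@{part}'")
    if port is None:
        port = 443 if ssl else 80
    return ("https" if ssl else "http"), port


def _is_internal(host: str) -> bool:
    """IP literals are checked against INTERNAL_NETS, names against INTERNAL_SUFFIXES.
    A single-label name (no dots) is treated as an internal short/NetBIOS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        return "." not in name or name.endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def classify(value: str) -> Verdict:
    """Decide whether a reminder-file value would make Outlook reach out to a server."""
    raw = value.strip()
    path = raw.replace("/", "\\")         # Windows accepts forward slashes in UNC paths
    if _DRIVE_RE.match(path):
        return Verdict(raw, "local", None, None, None, "local drive path; normal for a sound")
    m = _UNC_RE.match(path)
    if not m:
        return Verdict(raw, "other", None, None, None, "neither a drive path nor a UNC path")
    host = m.group("host")
    try:
        protocol, port = _transport(m.group("tail"))
    except ValueError as exc:
        return Verdict(raw, "other", host, None, None, str(exc))
    kind = "unc-internal" if _is_internal(host) else "unc-external"
    reason = f"UNC path: Outlook would authenticate to {host} over {protocol}/{port}"
    return Verdict(raw, kind, host, protocol, port, reason)


def scan(messages):
    """Return (subject, verdict) pairs whose reminder-file value points off-site."""
    flagged = []
    for msg in messages:
        value = msg.get("PidLidReminderFileParameter")
        if value:
            verdict = classify(value)
            if verdict.suspicious:
                flagged.append((msg["subject"], verdict))
    return flagged


# Constructed sample records, shaped like what a scanner would pull from mailboxes.
SAMPLE_MESSAGES = [
    {"subject": "Team meeting", "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Budget review", "PidLidReminderFileParameter": r"\\fileserver\sounds\chime.wav"},
    {"subject": "Invoice overdue", "PidLidReminderFileParameter": r"\\203.0.113.7\s\x.wav"},
    {"subject": "Urgent update", "PidLidReminderFileParameter": r"\\203.0.113.7@8080\dav\x.wav"},
    {"subject": "Lunch", "PidLidReminderFileParameter": None},
]

if __name__ == "__main__":
    for subject, v in scan(SAMPLE_MESSAGES):
        print(f"{subject}: {v.reason}")
```

Run stand-alone, it prints the two constructed messages that point off-site, including the one that would go out over HTTP on port 8080 rather than SMB on 445. In practice the values come from whatever tool you use to pull MAPI properties out of mailboxes; the classification is the interesting part, and any "unc-external" verdict deserves an incident ticket whether or not the message was ever opened, because the credential leak happens when Outlook processes the reminder, not when the user reads the mail.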

All supported versions of Outlook for Windows (including the desktop apps that come with Microsoft 365) are vulnerable. The only good news is that Outlook for Android, iOS and macOS are not affected (the vulnerable code path is in the Windows client), and online services like Outlook on the web and Microsoft 365 don't use NTLM either.

The history

Microsoft announced the vulnerability as a zero-day, meaning that attackers found the flaw and were exploiting it before Microsoft knew anything about it and before a patch existed. Credit for its discovery was given partly to CERT-UA, the Ukrainian computer emergency response team. There are indications that a well-known Russian actor associated with their military intelligence organisation (GRU) has been using this exploit since as early as April 2022.

Mitigation

The obvious advice is to apply the patch for this particular vulnerability, and to do so as soon as possible. Microsoft has also published a script that scans Exchange mailboxes for messages carrying the malicious property, so you can find and clean up any that arrived before the patch. But as we've seen, NTLM relay attacks keep happening. What else can you do?

Microsoft suggests one answer may be adding users to the Protected Users security group, which (among other hardening measures) prevents members from authenticating with NTLM at all. As we've seen there are still a number of applications that require NTLM, so this may cause inconvenience to users; and the protection lasts only as long as the account stays in the group. But it is very much worth considering for high-value accounts like Domain Admins.

Microsoft also suggests blocking TCP 445 (SMB) outbound from your network. Unfortunately, on its own this is not so helpful. While SMB traditionally uses port 445, a UNC path can also be served over WebDAV on HTTP, and the path syntax lets the attacker name the port, so the traffic can land on a port that a simple 445 block never sees. What's really needed is proper egress filtering of what goes out through the firewall: allowing only the appropriate traffic type through each port (eg HTTP traffic would be allowed through on port 80, but not SSH traffic), and not allowing SMB or WebDAV out to arbitrary hosts at all.

This can be time-consuming. On the other hand, if an attacker has worked out which mailbox belongs to someone with access to your crown-jewels documentation, it might turn out to be a valuable investment.

More articles from Jersey Cyber Security Centre